[ovirt-users] Ip spoofing

Punit Dambiwal hypunit at gmail.com
Wed Jul 9 09:56:51 UTC 2014


Hi Jure,

It's OK... but what if the user spoofs the IP on eth0:0? Then
the MAC address will be the same as eth0?? How can we control this??

Thanks,
Punit D


On Wed, Jul 9, 2014 at 3:38 PM, Jure Kranjc <jure.kranjc at arnes.si> wrote:

>  Hi,
>
> I don't know if this is much help, but here is our setup, which works in a
> way that users cannot spoof a public IP from inside the VM.
> We've set up a MAC pool range on the engine and a DHCP server on one VM; this
> server assigns IPs according to the VMs' MACs.
> We use CentOS 6 nodes (and engine 3.3.5). The node always sees the VM's NIC
> by its oVirt MAC, even if the user changes it from inside the VM.
> Now the solution was ebtables (bridge tables). We've set rules on the bridge
> to the public network which drop packets if they don't come from a legit MAC/IP
> combination. Example:
>
> -A FORWARD -p IPv4 -s 0:1a:4a:f9:xx:xx --ip-src ! IPADDRofVM -j DROP
>
> Any comments on the setup are appreciated.
>
> JureKr
>
> On 06/19/2014 10:23 AM, Punit Dambiwal wrote:
>
> Hi,
>
>  I have set up oVirt with GlusterFS... I have some concerns about the
> network part...
>
>  1. Is there any way to restrict the guest VM so that it can be assigned
> a single IP address, and so that the user cannot manipulate the IP
> address from inside the VM (that is, the user cannot change the IP address
> inside the VM)?
>
>  Thanks,
> Punit
>
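
Added example, not part of the thread or of oVirt: it generates the per-VM ebtables rule quoted above from a MAC/IP table and evaluates which frames that rule drops, including the eth0:0 case raised in the reply (same MAC as eth0, different source IP). The MACs and IPs are constructed sample values, the function names are hypothetical, and the ARP rule is an addition written in the same syntax as the quoted IPv4 rule.

```shell
#!/bin/sh
# Constructed sample bindings "MAC IP", standing in for the DHCP server's
# MAC-to-IP assignments described in the thread.
BINDINGS='00:1a:4a:f9:00:01 192.0.2.11
00:1a:4a:f9:00:02 192.0.2.12'

# Print one IPv4 rule (as quoted in the thread) and one ARP rule (added here)
# per binding, in ebtables-save style.
gen_rules() {
    printf '%s\n' "$BINDINGS" | while read -r mac ip; do
        [ -n "$mac" ] || continue
        printf '%s\n' "-A FORWARD -p IPv4 -s $mac --ip-src ! $ip -j DROP"
        printf '%s\n' "-A FORWARD -p ARP -s $mac --arp-ip-src ! $ip -j DROP"
    done
}

# Evaluate the IPv4 rules against a frame with source MAC $1 and source IP $2.
# DROP: the MAC is listed and the IP differs from its binding.
# PASS: no DROP rule matched, so the chain policy decides. This includes
#       frames whose source MAC is not in the table at all.
verdict() {
    src_mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    result=PASS
    while read -r mac ip; do
        if [ "$mac" = "$src_mac" ] && [ "$ip" != "$2" ]; then
            result=DROP
        fi
    done <<EOF
$BINDINGS
EOF
    echo "$result"
}

gen_rules
# eth0 with its assigned address, then an eth0:0 alias carrying another address.
# The alias shares eth0's MAC, so the MAC matches and the source IP does not.
echo "eth0   00:1a:4a:f9:00:01 192.0.2.11 -> $(verdict 00:1a:4a:f9:00:01 192.0.2.11)"
echo "eth0:0 00:1a:4a:f9:00:01 192.0.2.99 -> $(verdict 00:1a:4a:f9:00:01 192.0.2.99)"
```

The generated lines can be reviewed and loaded into the bridge's filter table; the PASS case for unlisted MACs is why the rules depend on the host seeing each VM under its assigned MAC.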